UK's First-Ever Data Breach Class Action Suit Could Expand Breach Liability
Even with cybersecurity controls in place and an employee acting entirely on his own to breach personal data, a U.K. company could be held liable.
April 24, 2019 at 09:30 AM
4 minute read
Even when an employee acts on his own to breach the company's data, the company could still be held liable, according to U.K. courts involved in the country's first data breach class action lawsuit.
In Various Claimants v. Wm Morrisons Supermarket, a U.K. supermarket chain was able to escape primary liability claims brought by 5,000-plus employees whose data was exposed. However, Morrisons hasn't been able to dissuade U.K. courts to drop the vicarious liability charge. On April 15, the Supreme Court of the United Kingdom decided to hear the appeal.
Lawyers say they are watching the case closely because of the implications of the court finding a company vicariously liable even when it has cybersecurity controls in place and the breach is caused by an employee acting inappropriately on his or her own accord. Vicarious liability in U.K. employment law refers to an employer's liability for its employee's actions.
The case stems from a 2014 incident where a Morrisons senior internal auditor uploaded a file containing nearly 100,000 Morrisons employees' personal data, including their names, addresses, birth dates, phone numbers, bank account numbers and their salaries at Morrisons.
The employee was found guilty of committing the data breach and was sentenced to eight years in prison. Later, 5,000 Morrisons employees whose data was exposed filed a class action suit against the company, claiming the supermarket chain had primary liability under the country's Data Protection Act and had vicarious liability.
The High Court dismissed the primary liability claims but found Morrisons can be held vicariously liable under English common law for the data breach caused by the action of its then-employee.
Morrisons disagreed and appealed to the U.K. Court of Appeal, arguing that the Data Protection Act excluded vicarious liability and that the employee's actions didn't occur during the “course of employment.”
“The headline point is the company could be liable for the actions of their employees even when the employee is doing something they aren't authorized to do,” said Steven Hadwin, Norton Rose Fulbright's risk advisory and cybersecurity head of operations.
While the courts in the Morrisons case have recommended companies use insurance policies to cover vicarious liability, DLA Piper partner and U.K. data protection co-chairman Andrew Dyson suggested companies also implement data loss prevention tools, track what employees are doing with company data and screen a job applicant's prior history to spot any possible issues.
“The ultimate risk [with this approach to vicarious liability] is that a company finds itself responsible for data loss caused by a rogue employee,” Dyson said. ”Loss which it can be very hard, if not impossible, to control. Risk and compliance teams should reflect on this exposure when looking at the adequacy of controls that are in place.”
If the U.K.'s Supreme Court doesn't reverse the lower courts, the decision could also signal to claimants they have another path to gain compensation after a data breach.
“In theory if you want to bring a consumer claim … you have another avenue available to you,” Hadwin said. He added there is an incentive at aiming a suit at a successful company rather than a single individual. “You instead bring a claim against a company and the company has deeper pockets then the individual,” he said.
Indeed, while lawyers said damages for data breaches in the United Kingdom are usually low and hover around $1,300 per claim, a large class such as the 5,000 people suing Morrisons could cost the organization $6.5 million before legal fees.
However, the floodgates haven't necessarily opened for data breach class actions in the United Kingdom. Hadwin noted, “The courts are interpreting the rights that people have under [the General Data Protection Regulation] and compensation restrictively and not overly broad.”
While the Morrisons case has caught lawyers' attention for its legal precedent, the GDPR and constant news of massive data breaches have made consumers more aware of their data rights too.
“More class actions in this area is inevitable just because we have this greater consumer awareness, I suppose, of data protection rights and greater transparency rights,” said Bryony Hurst, a London-based dispute resolution group partner at Bird & Bird.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250